Allowing password authentication over SSH for only a specific groupPublished 3 years ago
For security reasons it's generally advisable to disable password authentication on publicly accessible SSH servers, but n some shared hosting configurations it can be convenient to grant some users the ability to use passwords.
This one off configuration will disable password authentication for all users, then add a rule which explicitly grants users within a specific group the ability to use passwords for authentication.
As a precaution, be sure to keep an active SSH session open while you're applying these configuration changes, and ensure you're able to authenticate with SSH before closing it.
Create the new group
$ sudo groupadd sshpasswd
Find any references to
/etc/ssh/sshd_config which aren't commented out and either remove or alter (to
no) each of these entries. This will prevent all users who don't specifically match a rule allowing password authentication from using this authentication method.
Then, append the following to the very end of the file:
Match group sshpasswd PasswordAuthentication yes
And instruct SSHd to reload its configuration:
$ sudo service sshd reload
From now on, managing authentication is merely a case of managing group membership.
Enabling password authentication
$ sudo usermod -aG sshpasswd jbloggs
Disabling password authentication
$ sudo usermod -G jbloggs
Listing all users granted password authentication
$ grep -E '^sshpasswd:' /etc/group | cut -d: -f4